mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
34 lines
1007 B
ReStructuredText
34 lines
1007 B
ReStructuredText
1 month ago
|
PGSQL Keywords
|
||
|
|
##############
|
||
|
|
|
||
|
|
.. role:: example-rule-emphasis
|
||
|
|
|
||
|
|
pgsql.query
|
||
|
|
***********
|
||
|
|
|
||
|
|
This keyword is a sticky buffer that allows matching on the contents of
|
||
|
|
PostgreSQL's `query` request messages parsed by the engine. Note that this
|
||
|
|
buffer inspects only the `string` portion of the PostgreSQL message, skipping
|
||
|
|
other fields such as identifier and length, and focusing on the query itself.
|
||
|
|
|
||
|
|
Currently, it exposes the contents of the ``pgsql.request.simple_query`` field
|
||
|
|
from EVE output.
|
||
|
|
|
||
|
|
``pgsql.query`` can be used as a ``fast_pattern``
|
||
|
|
(see :ref:`rules-keyword-fast_pattern`).
|
||
|
|
|
||
|
|
Use ``nocase`` with this keyword to avoid case sensitivity for the matches.
|
||
|
|
|
||
|
|
Examples
|
||
|
|
========
|
||
|
|
|
||
|
|
.. container:: example-rule
|
||
|
|
|
||
|
|
alert pgsql any any -> any any (msg:"Simple SELECT rule";
|
||
|
|
:example-rule-emphasis:`pgsql.query; content:"SELECT \*";` sid:1;)
|
||
|
|
|
||
|
|
.. container:: example-rule
|
||
|
|
|
||
|
|
alert pgsql any any -> any any (msg:"Simple delete rule";
|
||
|
|
:example-rule-emphasis:`pgsql.query; content:"delete"; nocase` sid:2;)
|